From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot
<bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 19/92] ip6mr: fix stale iterator
Date: Fri, 9 Feb 2018 14:38:48 +0100
Message-ID: <20180209133932.686900142@linuxfoundation.org>
In-Reply-To: <20180209133931.211869118@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
[ Upstream commit 4adfa79fc254efb7b0eb3cd58f62c2c3f805f1ba ]
When we dump the ip6mr mfc entries via proc, we initialize an iterator
with the table to dump but we don't clear the cache pointer which might
be initialized from a prior read on the same descriptor that ended. This
can result in lock imbalance (an unnecessary unlock) leading to other
crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
Thanks for the reliable reproducer.
Here's syzbot's trace:
WARNING: bad unlock balance detected!
4.15.0-rc3+ #128 Not tainted
syzkaller971460/3195 is trying to release lock (mrt_lock) at:
[<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syzkaller971460/3195:
#0: (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0 fs/seq_file.c:165
stack backtrace:
CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561
__lock_release kernel/locking/lockdep.c:3775 [inline]
lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023
__raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
_raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
traverse+0x3bc/0xa00 fs/seq_file.c:135
seq_read+0x96a/0x13d0 fs/seq_file.c:189
proc_reg_read+0xef/0x170 fs/proc/inode.c:217
do_loop_readv_writev fs/read_write.c:673 [inline]
do_iter_read+0x3db/0x5b0 fs/read_write.c:897
compat_readv+0x1bf/0x270 fs/read_write.c:1140
do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
C_SYSC_preadv fs/read_write.c:1209 [inline]
compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f73c79
RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: sleeping function called from invalid context at lib/usercopy.c:25
in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460
INFO: lockdep is turned off.
CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060
__might_sleep+0x95/0x190 kernel/sched/core.c:6013
__might_fault+0xab/0x1d0 mm/memory.c:4525
_copy_to_user+0x2c/0xc0 lib/usercopy.c:25
copy_to_user include/linux/uaccess.h:155 [inline]
seq_read+0xcb4/0x13d0 fs/seq_file.c:279
proc_reg_read+0xef/0x170 fs/proc/inode.c:217
do_loop_readv_writev fs/read_write.c:673 [inline]
do_iter_read+0x3db/0x5b0 fs/read_write.c:897
compat_readv+0x1bf/0x270 fs/read_write.c:1140
do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
C_SYSC_preadv fs/read_write.c:1209 [inline]
compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f73c79
RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0 lib/usercopy.c:26
Reported-by: syzbot <bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
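To make the failure mode described in the commit message concrete, here is a small userspace model added by the editor; it is not kernel code, not part of this patch, and deliberately simplified. It assumes a single bucket list guarded by one read lock, a lock stand-in that counts every unlock without a matching lock (the condition lockdep reported above), and two seq_file-style reads on the same descriptor: the first returns after two records, so ->stop() drops the lock but leaves the iterator's cache pointer set; the second is a pread from offset 0, for which ->start() returns SEQ_START_TOKEN without locking and seq_read calls ->stop() before any ->next() (as it does when it has to grow its buffer and retry). The function and struct names below are the model's own, chosen to mirror the kernel's, and simulate(false) / simulate(true) run the iterator without and with the one-line fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for mrt_lock: counts readers and records every
 * unlock that has no matching lock (what lockdep flagged as "bad unlock
 * balance"). */
struct model_lock { int readers; int imbalance; };

static void read_lock(struct model_lock *l) { l->readers++; }
static void read_unlock(struct model_lock *l)
{
    if (l->readers == 0) { l->imbalance++; return; }
    l->readers--;
}

/* Constructed table: one bucket list of records guarded by mrt_lock. */
struct table { struct model_lock mrt_lock; int bucket[4]; int n; };

/* Iterator kept in seq->private; it survives between read() calls. */
struct mfc_iter { struct table *mrt; const int *cache; int ct; };

#define SEQ_START_TOKEN ((const void *)1)

/* Position the iterator at record `pos`: take the lock and point cache
 * at the bucket; on exhaustion drop the lock and clear cache. */
static const void *seq_idx(struct mfc_iter *it, int pos)
{
    read_lock(&it->mrt->mrt_lock);
    it->cache = it->mrt->bucket;
    for (it->ct = 0; it->ct < it->mrt->n; it->ct++)
        if (pos-- == 0)
            return &it->mrt->bucket[it->ct];
    read_unlock(&it->mrt->mrt_lock);
    it->cache = NULL;
    return NULL;
}

/* ->start(): with fixed == true it includes the patch's it->cache = NULL. */
static const void *seq_start(struct mfc_iter *it, struct table *mrt,
                             int pos, bool fixed)
{
    it->mrt = mrt;
    if (fixed)
        it->cache = NULL;
    return pos ? seq_idx(it, pos - 1) : SEQ_START_TOKEN;
}

/* ->next(): advance within the bucket; drop the lock at the end. */
static const void *seq_next(struct mfc_iter *it, const void *v, int *pos)
{
    (*pos)++;
    if (v == SEQ_START_TOKEN)
        return seq_idx(it, 0);
    if (++it->ct < it->mrt->n)
        return &it->mrt->bucket[it->ct];
    read_unlock(&it->mrt->mrt_lock);
    it->cache = NULL;
    return NULL;
}

/* ->stop(): like the kernel, decides what to unlock from it->cache alone. */
static void seq_stop(struct mfc_iter *it)
{
    if (it->cache == it->mrt->bucket)
        read_unlock(&it->mrt->mrt_lock);
}

/* Two reads on one descriptor. Returns the number of unmatched unlocks. */
int simulate(bool fixed)
{
    struct table mrt = { { 0, 0 }, { 10, 20, 30, 40 }, 4 };
    struct mfc_iter it = { NULL, NULL, 0 };
    const void *v;
    int pos = 0, emitted = 0;

    /* Read 1: the user buffer holds two records, so the read ends early;
     * stop() drops the lock but leaves it->cache pointing at the bucket. */
    v = seq_start(&it, &mrt, pos, fixed);
    while (v && emitted < 2) {
        v = seq_next(&it, v, &pos);
        emitted++;
    }
    seq_stop(&it);

    /* Read 2: pread from offset 0; start() hands back SEQ_START_TOKEN
     * without locking, and seq_read calls stop() before any next(). */
    pos = 0;
    (void)seq_start(&it, &mrt, pos, fixed);
    seq_stop(&it);

    return mrt.mrt_lock.imbalance;
}

int main(void)
{
    printf("without fix: %d unmatched unlock(s)\n", simulate(false));
    printf("with fix:    %d unmatched unlock(s)\n", simulate(true));
    return 0;
}
```

The model shows why the fix belongs in ->start() rather than anywhere else: ->stop() has no information beyond the iterator's own fields, so any state that decides what gets unlocked has to be reset at the beginning of every read, not only at the end of a read that ran to completion.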
---
net/ipv6/ip6mr.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -495,6 +495,7 @@ static void *ipmr_mfc_seq_start(struct s
return ERR_PTR(-ENOENT);
it->mrt = mrt;
+ it->cache = NULL;
return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
: SEQ_START_TOKEN;
}
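Review bot: the early `return ERR_PTR(-ENOENT);` two lines above the new assignment still leaves both `it->mrt` and `it->cache` as whatever the previous read left them, and seq_file calls ->stop() after ->start() fails too, so the table-lookup failure path can reach ipmr_mfc_seq_stop with the same stale pointer this hunk is fixing. Consider clearing `it->cache` (and setting `it->mrt`) before that return, or additionally resetting `it->cache` at the end of ipmr_mfc_seq_stop; matching ipmr's placement is fine for consistency, but the ordering relative to the error return deserves a look.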